
Nervous reader, were you unsettled by the recent news that Yahoo’s email address recycling scheme had resulted in new account holders receiving past account owners’ personal details, including passwords and even an invitation to a wedding?

Did you fear that Yahoo might not be applying itself with all due gusto to users’ security, in spite of its having stated that it takes the security and privacy of its users very, very seriously?

Fret not. The exclamation-marked one has proved that it’s devoted to security.

How, you well may ask?

It paid a bug bounty to a security company for finding a vulnerability that allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and tricking him or her into clicking.

In light of having been paid for that hole, the security company, Switzerland-based High-Tech Bridge, put a price tag on exactly how much Yahoo values their email security.

That would be $12.50 (£7.71).

The company had decided to test how quickly security holes on well-known, heavily trafficked sites such as Yahoo can be found and how the email provider reacts to a vulnerability notice.

Within 45 minutes of starting the research on 18 September, the company had netted a “classic reflected XSS vulnerability”, affecting the marketingsolutions.yahoo.com domain.

High-Tech Bridge speedily reported the bug, and Yahoo speedily replied in less than 24 hours.

Unfortunately, Yahoo was just letting the security outfit know that the bug had already been reported.

Its message:

Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future.

The reply didn’t provide the security company with evidence that the vulnerability had already been reported, but OK. Fine.

Its researchers went on poking, and in short order, they found more issues.

In fact, by 22 September, High-Tech Bridge had discovered three more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.

The company reported the issues on Monday, 23 September, letting Yahoo know that each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by, again, sending a specially crafted link to a logged-in Yahoo user and convincing him/her to click on it.
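As an added illustration (not code from the article or from High-Tech Bridge), here is the shape of a reflected XSS bug in a page that echoes a query parameter back into its HTML, beside the two fixes a defender would apply: HTML-encode the reflected value, and mark the session cookie HttpOnly so injected script cannot simply read it. The URLs and cookie name are constructed samples.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample links (not real Yahoo URLs): one benign, one carrying markup.
SAFE_URL = "https://example.invalid/search?q=balloons"
HOSTILE_URL = "https://example.invalid/search?q=<b>bold</b>"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter straight into the page: whatever markup the link
    carries becomes part of the page's own HTML (the reflected XSS pattern)."""
    q = query_param(url, "q")
    return f"<p>Results for: {q}</p>"


def render_hardened(url: str) -> str:
    """Same page, but the reflected value is HTML-encoded first, so '<' and '>'
    arrive in the browser as text rather than as tags."""
    q = html.escape(query_param(url, "q"), quote=True)
    return f"<p>Results for: {q}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the login session (cookie name 'sid' is assumed).
    HttpOnly keeps document.cookie from exposing it to any script on the page."""
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


class _TagCollector(HTMLParser):
    """Records the start tags the browser's parser would see in a response."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_names(rendered: str) -> list[str]:
    """Parse a rendered response and list its element names, in order.
    A reflected value that adds elements beyond the template's own has escaped."""
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags
```

Run `element_names` over both renderings of `HOSTILE_URL`: the vulnerable page gains an extra `b` element from the link, the hardened page keeps only the template's `p`.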

Yahoo’s response was a bit slower in coming this time around.

Within 48 hours, Yahoo “warmly thanked” High-Tech Bridge and offered to lavish the company with the princely sum of $12.50 per vulnerability.

If your first inclination was like mine, of course, you’d warn High-Tech Bridge: Don’t spend it all in one place, guys!

Unfortunately, they do have to spend it all in one place, because Yahoo isn’t giving them cash, exactly.

Rather, the funds were disbursed as a discount code to spend in the Yahoo Company Store, which sells Yahoo’s corporate swag: t-shirts, cups, Inkjoy Retractable Pens, a 7×9″ mousepad festooned with the image of balloons, or the Yahoo Unisex Baby Set, which features, among other things, an Emoticon Long Sleeve Onesie (6-12 month).

Except the Yahoo Unisex Baby Set actually costs $61.

I’m afraid you’ll have to discover a lot more XSS vulnerabilities to score that Yahoo Company Store item, High-Tech Bridge!

High-Tech Bridge is a tad miffed.

Ilia Kolochenko, High-Tech Bridge CEO, said this:

Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

Of course, money isn’t the only motivation for security researchers, Kolochenko went on to say. Ego is right up there.

That’s why, he said, companies like Google not only pay out much higher financial rewards, but they also maintain a Hall of Fame where all security researchers who have ever reported security vulnerabilities are publicly listed.

He says:

If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.

How much more do other companies pay out in bug bounties?

As of July 2013, when Microsoft paid its first bug bounty for a hole in Internet Explorer, Google had paid out about $580,000 over three years for 501 Chrome bugs, and Firefox had paid out about $570,000 over the same period for 190 bugs.

A study [PDF] from the University of California, Berkeley has found that paying bounties to independent security researchers is a better investment than hiring employees to do it.

If you compare bug bounty payouts with the cost of just one full-time salaried security researcher digging through code, at, say, $100,000 per year, it’s easy to see that the savings to a company can be huge.

In fact, the study found that bounty programs “appear to be 2-100 times more cost-effective than hiring expert security researchers to find vulnerabilities.”

High-Tech Bridge quoted Brian Martin, President of the non-profit Open Security Foundation, who commented on the High-Tech Bridge experiment, noting that some vendors pay their janitors more money to clean their offices than they do to security researchers who find vulnerabilities that could put thousands of their customers at risk.

High-Tech Bridge, for its part, says it’s decided to hold off on further research.

Yahoo, is this what you wanted to encourage with your first bug bounty payout? Security researchers throwing in the towel instead of helping to make your products safer to use?

I hope not.

Readers, what do you think? Do you think that the low payout means that Yahoo likely evaluated the XSS vulnerabilities and didn’t think much of them?

I most certainly could not find these vulnerabilities because I lack said experience and skills. But I think whoever does have the skills and experience should be paid more than $12.50/vulnerability. Anyone paying these bounties should consider the amount of time it takes to find, test, and report a security flaw by an IT professional. If we use what is probably the extreme low end of the salary range for someone with the skills, say ~45,000/year, that is still about $22/hour. How many hours does it normally take? I don't know, but probably more than 1.

On top of that, these professionals are saving companies huge amounts of money by reporting these flaws before they become breaches!!! The researchers and reporters deserve better, and Yahoo knows it.

Why would this Swiss outfit expect to get paid at all? They openly admitted that they weren't after money…they found the bug as part of research of their own, not for the sake of finding the bug and being paid.

Not saying Yahoo! isn't cheap, but High-Tech Bridge can't have their cake and eat it.

It baffles me to see a company like Yahoo still not clarifying why this happened. Maybe they didn’t intend to do it. Maybe they did. One would expect somewhat of a clarification after this issue has been floating around for almost 2-3 days. I am definitely interested in knowing how they came up with the $12.50 figure.

This brings me to my next question, which is somewhat unrelated to this:
How soon should one expect to hear back from a company after reporting a bug in their bug bounty program?
I have read that companies like Google and Facebook respond within 48 hours, at least acknowledging that they have received the information and are actively looking at it. But I, on the other hand, have had bad experiences. It has been more than a week and I haven’t received even a “Message Received” automated notification.

Reporting bugs and exploits is risky business. It is usually safer and much more profitable to sell it on the black market than to report it. We have seen several reports of security researchers reporting bugs only to be arrested, because they did not do it by the book.

The people who explicitly sell the hacks are surely not doing it by the book. It’s a double standard. The impression I have been seeing is:
1. Sell the hack if you’re in it for the money,
2. Or if you’re reporting to protect the people, then expect nothing, and if you break the protocol, expect to go to jail like the rest.